Attack In Progress
By Kim S. Nash | Posted 2006-04-06
In moments, hackers with bot code can break into vulnerable computers, turn them into zombies, steal information and spread the infection. While you scramble to secure your network, and the vital data on it, botmasters sell access to your hacked machines.
To gain an understanding of bots and botnets, what happened at Auburn University serves as a good example of how these attacks occur. In fact, according to FBI Supervisory Special Agent Kenneth McGuire, the Auburn incident had "all the earmarks of [Ancheta's] type of activity." The Auburn bots, which were based on code called Rbot/Rxbot, sought out the specific LSASS weakness in the Windows operating system. In addition, Auburn's records of the attack show malware coming from a Web site with the address resili3nt.superihost.com. Ancheta, according to the government, used the hacker name Resili3nt, and several variations—resjames, resilient24, Resilient, ResilienT, or Resilient.
Ancheta was never under suspicion for the Auburn attack—the university didn't report the attack and the FBI did not investigate. Anyone could have launched it. But no matter the source, like all bot attacks the raid against Auburn was swift.
It arrived through Internet Relay Chat, a worldwide network of online channels that lets people exchange text messages and meet in chat rooms, either publicly or privately. IRC is the forerunner of today's instant messaging applications and has been the source of other hack attacks.
Within seconds of penetrating the university, malicious code on the invaded PC contacted an IRC channel controlled by a hacker and downloaded a server that could receive software through the File Transfer Protocol, or FTP, which transfers data and software over the Internet. Among those files was a scanner—a software probe—to find other machines to infect.
On a command from IRC, the infected PC began scanning computers on Auburn's network, looking for other computers to infect through Microsoft's LSASS bug. It sent packets of data, requests to connect, over Port 445, which Microsoft reserves as a pathway in the operating system for networked Windows PCs to share files, printers and other resources—"like going down the street knocking on doors," Wilson says. He had already closed outside access to Port 445 on Auburn's firewall after an earlier attack on that port. But with the malicious code inside the network, the firewall was helpless to stop the scans. Within minutes, 47 PCs were infected.
Wilson was tipped to the attack by Auburn's open-source intrusion detection system, Snort, which picked up the flood of data traffic on Port 445 and sent an e-mail. By examining one infected PC, he could see the attack's pattern—the same malware (FTP server, remote administration software, scanner and a chat client) kept showing up in the same Windows directory on each PC. He and his team scrambled to get the Internet Protocol addresses of the infected machines, find the network switch they were connected to and disconnect them from the campus network. But the infection was spreading so quickly that they couldn't quarantine machines fast enough.
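The "knocking on doors" pattern that tipped off Auburn's Snort sensor is a horizontal scan: one internal host opening connections to many different peers on Port 445 in a short time. The script below is an added example, not Auburn's Snort configuration or any code from the article; it applies the same idea to a constructed connection log (the log format, the 10.20.x.x addresses and the 20-hosts-in-10-seconds threshold are all assumptions chosen for the example). A workstation that repeatedly reconnects to the same two file servers is included to show why the count is of distinct targets rather than raw packets.

```python
"""Horizontal-scan detector for SMB (TCP/445) connection attempts.

Added example, not Auburn's Snort setup. It flags any internal host whose
SYNs reach many *distinct* peers on port 445 inside a sliding window,
the pattern the article describes as "going down the street knocking on
doors". Log format, addresses and thresholds are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption): "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <tcp_flags>"


def parse_line(line):
    """Split one log line into a dict; timestamps are ISO 8601."""
    ts, src, dst, port, flags = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "flags": flags}


def detect_scans(lines, port=445, distinct_hosts=20, window=timedelta(seconds=10)):
    """Return {src_ip: (alert_time, distinct_targets)} for every source whose
    SYNs to `port` reached at least `distinct_hosts` different peers within
    `window`. One alert per source, raised at the moment the threshold is hit."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> deque of (ts, dst), oldest first
    alerts = {}
    for ev in events:
        if ev["port"] != port or "S" not in ev["flags"]:
            continue                      # only connection attempts to the port
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()                   # drop attempts older than the window
        targets = {dst for _, dst in q}   # distinct peers, not raw packet count
        if len(targets) >= distinct_hosts and ev["src"] not in alerts:
            alerts[ev["src"]] = (ev["ts"], len(targets))
    return alerts


def build_sample_log():
    """Constructed traffic (not captured data): one host sweeping 30 peers on
    445 within six seconds, plus a workstation that keeps reopening
    connections to the same two file servers, which must NOT alert."""
    t0 = datetime(2006, 3, 1, 10, 0, 0)
    lines = []
    for i in range(30):                   # the sweep: 30 distinct targets
        ts = t0 + timedelta(milliseconds=200 * i)
        lines.append(f"{ts.isoformat()} 10.20.1.15 10.20.1.{100 + i} 445 S")
    for i in range(40):                   # benign: 40 SYNs, only 2 distinct targets
        ts = t0 + timedelta(milliseconds=150 * i)
        lines.append(f"{ts.isoformat()} 10.20.1.30 10.20.0.{1 + i % 2} 445 S")
    return lines


if __name__ == "__main__":
    for src, (when, n) in detect_scans(build_sample_log()).items():
        print(f"ALERT {when.isoformat()} {src} reached {n} distinct hosts on 445")
```

On the constructed log only 10.20.1.15 is reported, at the moment its 20th distinct target is touched; the workstation hammering two servers never trips the rule. The sliding window is what keeps the detector meaningful on a real campus network: the same 20 peers spread over a day are normal file sharing, while 20 peers in ten seconds from one desktop is the signature worth an e-mail.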
This attack also had a twist, Wilson noticed. He saw that the chat client commandeered the buddy list from the student's instant messaging program and invited those friends to click on the link, too. Whenever the code penetrated another PC, the cycle began again.
Reviewing Snort's archived logs of the attack, Wilson remembers feeling frightened. "This was about the worst attack I'd seen," he says. "This was different from a worm or a virus. It was a live channel of communication going back and forth."
As Auburn's PCs were taken over, they sent their Internet Protocol addresses back through IRC so the various botmasters running the attack would know how many and which machines they controlled.
Alerted by the IRC messages, bots belonging to other IRC channels immediately raced to add their own malware to those freshly infected PCs using FTP, Wilson says, as if playing some life-size computer game. Messages then flew over the chat system as individual hackers took credit for penetrating PCs at specific IP addresses.
Hackers swarmed and bragged "like a bunch of schoolkids on a playground," Wilson says. He stared as the university's PCs communicated with IRC channels all over the world—from Brazil to Greece and throughout the U.S.
Several hours and 7,000 messages later, the attack ended as suddenly as it began, when the last hacker typed, "#Exit."
The invasion was over. The network traffic had died down. But Wilson was left with a hostile army of bots that he now had to subdue.